National Program of Cancer Registries (NPCR)
Contact Information
Centers for Disease
Control and Prevention
Division of Cancer
Prevention and Control
4770 Buford Hwy, NE
MS K-64
Atlanta, GA 30341-3717

Call: 1 (800) CDC-INFO
TTY: 1 (888) 232-6348
FAX: (770) 488-4760

E-mail: cdcinfo@cdc.gov

The CDC Certification and Accreditation (C&A) Process

All information systems developed by CDC's National Program of Cancer Registries (NPCR) adhere to the standards defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (PDF-738KB). This publication provides guidelines for the security certification and accreditation of information systems supporting the executive agencies of the federal government, and these guidelines apply to all federal information systems except national security systems.

The CDC C&A process ensures that all information systems made available by CDC to implement the NPCR meet or exceed the C&A accreditation standards when operated with appropriate management review. It requires ongoing monitoring of security controls, and reaccreditation periodically or whenever there is a significant change to an information system or its environment.

  • Security certification is a comprehensive evaluation of CDC's management, operational, and technical security controls for an information system. It documents the effectiveness of the security controls in a particular operational environment and includes recommendations for new controls to mitigate system vulnerabilities. Security certification results are used to assess risks to the system and update the system's security plan.


  • Security accreditation is CDC management's official decision to authorize an information system to operate. By accrediting an information system, a CDC official explicitly accepts responsibility for adverse impacts to CDC resulting from the documented risk levels for the system. The certification documents provide the factual basis for a security accreditation decision. CDC officials must have the most complete, accurate, and trustworthy information possible to make credible, risk-based decisions on whether to authorize system operation. A system can be accredited for as long as three years.

Sample CDC C&A Checklist

A generic version of NIST's checklist (DOC-687KB) is available for an application that is considered a moderate threat and is going through the CDC C&A process. It provides the minimum set of controls reviewed for such an application.

Web Plus Security Features and Recommendations

Web Plus is a highly secure application that can be used to transmit confidential patient data between reporting locations and a central registry safely over the Internet. See Security Features in Web Plus for basic information and Maximizing Data Security in Web Plus for technical information.


Page last reviewed: May 4, 2009
Page last updated: October 20, 2009
Content source: Division of Cancer Prevention and Control, National Center for Chronic Disease Prevention and Health Promotion